
PART 1: CONFIGURE MPLS VPN USING OSPF:

SCENARIO: You just signed a contract with an ISP for connecting two sites together using MPLS. The P router is the router used for the MPLS backbone. The other two routers are "PE" routers, which are used to connect you to the ISP's MPLS backbone. You will be running OSPF as your internal routing protocol (IGP) and the MPLS backbone will also be running OSPF as the IGP.

Every router has a loopback0 interface configured as follows:

HQ: 1.1.1.1 /32
PE1: 2.2.2.2 /32
P2: 3.3.3.3 /32
PE2: 4.4.4.4 /32
BRANCH: 5.5.5.5 /32

All IP addresses have been preconfigured.

Configure OSPF Area 0 at the provider side (Router PE1, PE2 and P). Advertise the loopback interfaces as well in OSPF. Ensure you have full reachability in the OSPF domain.

Configure MPLS on all physical interfaces in the service provider domain; do not configure MPLS on physical interfaces pointing towards the customer.

Configure VRF "customer" on PE1 and PE2 as follows:
 RD 100:1
 Route-target both 1:100

On router PE1 and PE2, add the interfaces pointing towards the customer to the VRF you just created.

Ensure you can ping from within the VRF; try this as follows on PE1: ping vrf customer 192.168.12.1

Configure OSPF Area 0 on router HQ and Branch. Advertise the loopbacks as well.

Configure OSPF on router PE1 and PE2 for the correct VRF "customer". Ensure you receive prefixes from the customer routers on your PE routers.

Configure BGP AS 1 between Router PE1 and PE2.

Configure the correct BGP address families and make sure communities are sent between neighbors.

Redistribute OSPF into BGP; use the correct address-family for the VRF "customer".

Ensure you have full connectivity between router HQ and Branch. You should see each other's OSPF routes that have been carried over the service provider's MPLS backbone.

The OSPF prefixes on the HQ and Branch router are showing up as O IA (Inter-Area). Change this so they show up as E2 routes.

Enable OSPF on the serial link between router HQ and Branch; this will be a backup link in case the MPLS Backbone crashes.

You notice packets are being sent through the backup serial link instead of the MPLS Backbone. Make sure all packets are sent through the MPLS Backbone without removing OSPF on the serial link or shutting down the interface.

All IP addresses have been preconfigured.

PE1
!
interface Loopback0
 ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/1
 ip address 170.10.10.1 255.255.255.252
 no shut
!
interface FastEthernet0/0
 ip address 100.100.100.1 255.255.255.0
 no shut

P
!
interface Loopback0
 ip address 3.3.3.3 255.255.255.255
!
interface FastEthernet0/0
 ip address 170.10.10.2 255.255.255.252
 no shut
!
interface FastEthernet0/1
 ip address 170.10.10.5 255.255.255.252
 no shut

PE2
!
interface Loopback0
 ip address 4.4.4.4 255.255.255.255
!
interface FastEthernet0/0
 ip address 200.200.200.1 255.255.255.0
 no shut
!
interface FastEthernet0/1
 ip address 170.10.10.6 255.255.255.252
 no shut

ASA
!
interface Ethernet0/0
 ip address 100.100.100.1 255.255.255.0
 nameif outside
 security-level 0
 no shut
!
interface Ethernet0/1
 ip address 10.10.10.1 255.255.255.0
 nameif inside
 security-level 100
 no shut
!
interface Ethernet0/2
 ip address 20.20.20.1 255.255.255.0
 nameif outside
 security-level 50
 no shut

Branch
!
interface FastEthernet0/0
 ip address 200.200.200.10 255.255.255.0
 no shut

1. Configure OSPF Area 0 at the provider side (Router PE1, PE2 and P). Advertise the loopback interfaces as well in OSPF. Ensure you have full reachability in the OSPF domain.

PE1
!
router ospf 1
 network 2.2.2.0 0.0.0.255 area 0
 network 170.10.10.0 0.0.0.3 area 0
 passive-interface fa0/0
!
int loopback 0
 ip ospf network point-to-point

P
!
router ospf 1
 network 0.0.0.0 255.255.255.255 area 0
!
int loopback 0
 ip ospf network point-to-point

PE2
!
router ospf 1
 network 4.4.4.0 0.0.0.255 area 0
 network 170.10.10.4 0.0.0.3 area 0
 passive-interface fa0/0
!
int loopback 0
 ip ospf network point-to-point

2. Configure MPLS on all physical interfaces in the service provider domain; do not configure MPLS on physical interfaces pointing towards the customer.

PE1
!
ip cef
!
int fa0/1
 mpls ip

PE2
!
ip cef
!
int fa0/1
 mpls ip

P
!
ip cef
!
int fa0/1
 mpls ip
!
int fa0/0
 mpls ip

3. Configure VRF "customer" on PE1 and PE2 as follows:
 RD 100:1
 Route-target both 1:100

PE1
!
ip vrf CUSTOMER
 rd 100:1
 route-target export 1:100
 route-target import 1:100

PE2
!
ip vrf CUSTOMER
 rd 100:1
 route-target export 1:100
 route-target import 1:100

4. On router PE1 and PE2, add the interfaces pointing towards the customer to the VRF you just created.

PE1
!
int fa0/0
 ip vrf forwarding CUSTOMER
 ip address 100.100.100.2 255.255.255.0

PE2
!
int fa0/0
 ip vrf forwarding CUSTOMER
 ip address 200.200.200.1 255.255.255.0

5. Ensure you can ping from within the VRF; try this as follows on PE1: ping vrf customer 192.168.12.1

PE1
!
ping vrf CUSTOMER 100.100.100.1

PE2
!
ping vrf CUSTOMER 200.200.200.10

6. Configure OSPF Area 0 on router HQ and Branch. Advertise the loopbacks as well. Ensure you receive prefixes from the customer routers on your PE routers.

ASA
!
router ospf 2
 network 100.100.100.1 0.0.0.0 area 0

Branch
!
router ospf 2
 network 200.200.200.10 0.0.0.0 area 0

7. Configure OSPF on router PE1 and PE2 for the correct VRF "customer".

PE1
!
router ospf 2 vrf CUSTOMER
 network 100.100.100.0 0.0.0.255 area 0

PE2
!
router ospf 2 vrf CUSTOMER
 network 200.200.200.0 0.0.0.255 area 0

Verify:

PE1
!
show ip route vrf CUSTOMER

8. Configure BGP AS 1 between Router PE1 and PE2.

PE1
!
router bgp 1
 neighbor 4.4.4.4 remote-as 1
 neighbor 4.4.4.4 update-source loopback 0

PE2
!
router bgp 1
 neighbor 2.2.2.2 remote-as 1
 neighbor 2.2.2.2 update-source loopback 0

9. Configure the correct BGP address families and make sure communities are sent between neighbors.

PE1
!
router bgp 1
 address-family vpnv4
  neighbor 4.4.4.4 activate
  neighbor 4.4.4.4 send-community both

PE2
!
router bgp 1
 address-family vpnv4
  neighbor 2.2.2.2 activate
  neighbor 2.2.2.2 send-community both

10. Redistribute OSPF into BGP; use the correct address-family for the VRF "customer".

PE1
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2 vrf CUSTOMER

PE2
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2 vrf CUSTOMER

Verify:

PE1
!
show ip route vrf CUSTOMER

PE1
!
router ospf 2 vrf CUSTOMER
 redistribute bgp 1 subnets

PE2
!
router ospf 2 vrf CUSTOMER
 redistribute bgp 1 subnets

11. The OSPF prefixes on the HQ and Branch router are showing up as O IA (Inter-Area). Change this so they show up as E2 routes.

PE1
!
router ospf 2 vrf CUSTOMER
 domain-id 0.0.0.1

PE2
!
router ospf 2 vrf CUSTOMER
 domain-id 0.0.0.5

Verify the OSPF routes are now showing as E2 routes:

Branch# sh ip route

12. You notice packets are being sent through the backup serial link instead of the MPLS Backbone. Make sure all packets are sent through the MPLS Backbone without removing OSPF on the serial link or shutting down the interface.

We will configure the OSPF SHAM-LINK to solve this problem:

PE1
!
int loopback 1
 ip vrf forwarding CUSTOMER
 ip address 22.22.22.22 255.255.255.255

PE2
!
int loopback 1
 ip vrf forwarding CUSTOMER
 ip address 44.44.44.44 255.255.255.255

PE1
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  network 22.22.22.22 mask 255.255.255.255

PE2
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  network 44.44.44.44 mask 255.255.255.255

SHAM-LINK:

PE1
!
router ospf 2 vrf CUSTOMER
 area 0 sham-link 22.22.22.22 44.44.44.44 cost 1

PE2
!
router ospf 2 vrf CUSTOMER
 area 0 sham-link 44.44.44.44 22.22.22.22 cost 1
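A consistency check for the PE pair built in Part 1, as an added example that is not part of the original lab: it flags a VRF (customer-facing) interface that also runs "mpls ip", route-targets that do not line up between the two PEs, and sham-link endpoints that are not mirrored. The function names parse_pe and audit are hypothetical, and the sample configs are constructed from the lab's PE1/PE2 steps.

```python
import re

def parse_pe(config):
    """Extract interface flags, VRF route-targets and sham-links from IOS-style text."""
    ifaces, rts, shams, cur = {}, {"import": set(), "export": set()}, set(), None
    for line in (l.strip() for l in config.splitlines()):
        if line == "!":
            cur = None  # "!" closes the current stanza
        elif m := re.match(r"int(?:erface)?\s+(.+)", line):
            cur = ifaces.setdefault(m.group(1), {"vrf": None, "mpls": False})
        elif cur is not None and (m := re.match(r"ip vrf forwarding (\S+)", line)):
            cur["vrf"] = m.group(1)
        elif cur is not None and line == "mpls ip":
            cur["mpls"] = True
        elif m := re.match(r"route-target (import|export|both) (\S+)", line):
            for d in (("import", "export") if m.group(1) == "both" else (m.group(1),)):
                rts[d].add(m.group(2))
        elif m := re.match(r"area \S+ sham-link (\S+) (\S+)", line):
            shams.add((m.group(1), m.group(2)))
    return ifaces, rts, shams

def audit(pe_a, pe_b):
    """pe_a/pe_b are (name, config) pairs; returns findings, empty when checks pass."""
    (na, (if_a, rt_a, sh_a)), (nb, (if_b, rt_b, sh_b)) = ((n, parse_pe(c)) for n, c in (pe_a, pe_b))
    findings = [f"{n}: {i} is in VRF {flags['vrf']} but runs 'mpls ip'"
                for n, ifs in ((na, if_a), (nb, if_b)) for i, flags in ifs.items()
                if flags["vrf"] and flags["mpls"]]
    if not rt_a["export"] & rt_b["import"]:
        findings.append(f"{nb} imports nothing that {na} exports")
    if not rt_b["export"] & rt_a["import"]:
        findings.append(f"{na} imports nothing that {nb} exports")
    if {(dst, src) for src, dst in sh_a} != sh_b:
        findings.append("sham-link endpoints are not mirrored between the PEs")
    return findings

# Constructed sample: PE1 assembled from steps 2, 3, 4 and 12; PE2 is its mirror.
PE1 = """ip vrf CUSTOMER
rd 100:1
route-target export 1:100
route-target import 1:100
int fa0/0
ip vrf forwarding CUSTOMER
int fa0/1
mpls ip
!
router ospf 2 vrf CUSTOMER
area 0 sham-link 22.22.22.22 44.44.44.44 cost 1"""
PE2 = PE1.replace("22.22.22.22 44.44.44.44", "44.44.44.44 22.22.22.22")
```

Calling audit(("PE1", PE1), ("PE2", PE2)) returns an empty list for the lab's configuration; feed it the saved running-config text of each PE to check a real pair.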

PART 2: CONFIGURE A DEFAULT ROUTE THROUGH THE MPLS BACKBONE:


HQ
!
router ospf 2
 redistribute static subnets
 default-information originate
!
interface FastEthernet0/0
 ip nat inside
!
interface FastEthernet0/1
 ip nat inside
!
interface FastEthernet1/0
 ip nat outside
!
ip nat inside source list NAT interface fastEthernet 1/0 overload
!
ip access-list extended NAT
 permit ip any any

PE1
!
router ospf 2 vrf CUSTOMER
 default-information originate
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2 vrf CUSTOMER match internal external 1 external 2
  default-information originate

PE2
!
router ospf 2 vrf CUSTOMER
 default-information originate
!
router bgp 1
 address-family ipv4 vrf CUSTOMER
  redistribute ospf 2 vrf CUSTOMER match internal external 1 external 2
  default-information originate

Branch
!
ip route 0.0.0.0 0.0.0.0 190.10.45.1 permanent
